# Using namespace-scoped custom resources {% hint style="warning" %} The advanced configuration options explained on this page require an existing helm-based deployment on K8s with CRD version v1beta2. See here for instructions: [Install Using Helm - new flow (beta)](/getting-started/start-with-kubernetes/install-using-helm-new-flow-beta.md) {% endhint %} open-appsec's default custom resources, which are used for the declarative configuration when locally managing open-appsec, are **cluster-scoped** custom resources, which means they are not associated with a specific namespace but instead defined on cluster level. In certain deployment scenarios, you might only have access to a specific namespace and do not have the permission to deploy any cluster-scoped custom resources on a given Kubernetes cluster.\ Or you might be an MSSP who only provides one or more dedicated namespaces to your customers. Beginning with the open-appsec CRD version v1beta2 for Kubernetes, open-appsec now supports also namespace-scoped custom resources for the configuration as an alternative to the default cluster-scoped custom resources. ## Using namespace-scoped custom resources When you [deploy open-appsec using helm](/getting-started/start-with-kubernetes/install-using-helm-new-flow-beta.md), you can optionally set `appsec.crdsScope` attribute to `namespaced` as shown below to configure open-appsec for applying the configuration declaratively defined in namespace-scoped open-appsec custom resources instead of the regular cluster-scoped custom resources. ```bash helm install ... --set appsec.crdsScope=namespaced ... ``` **open-appsec, starting with v1beta2, provides every custom resource in two versions, a cluster-scoped version and an alternative namespace-scoped version.** Once you have set `crdsScope` to `namespaced` for you open-appsec deployment as explained above, make sure to **provide the desired configuration for that specific deployment** **using the dedicated namespace-scoped CRDs**, as shown in the examples below. {% hint style="warning" %} Namespace-scoped custom resources **must** reside in the exact same namespace, in which also the open-appsec agent is deployed, in order to be applied by an agent which is set to CRD scope `namespaced`. {% endhint %} ### Examples: To define **cluster-scoped** custom resources for defining an open-appsec **policy**, use kind:\ \&#xNAN;**`Policy`**\ To define **namespace-scoped** custom resources for defining an open-appsec **policy**, use kind:\ \&#xNAN;**`PolicyNS`** To define **cluster-scoped** custom resources for defining a **threat prevention practice**, use kind:\ \&#xNAN;**`ThreatPreventionPractice`**\ To define **namespace-scoped** custom resources for defining a **threat prevention practice**, use kind:**`ThreatPreventionPracticeNS`** **The same naming pattern applies to all other custom resource definition types which open-appsec supports for declarative configuration.** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.openappsec.io/getting-started/start-with-kubernetes/configuration-using-crds-special-options-for-large-scale-deployments/using-namespace-scoped-custom-resources.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.